Security Decision Report

openclaw-memory-auto

Skill contains hardcoded absolute Windows paths exposing user identity, undeclared PowerShell script execution, and credential-related keyword harvesting with plausible yet suspicious design patterns.

Install decision: priority · Source: manual upload · Scan time: 2026/4/4
Files: 24
IOCs: 2
Over-privileged items: 2
Findings: 7
Most direct threat evidence
01
Skill distributed as legitimate OpenClaw memory plugin via SKILL.md marketing · initial entry · SKILL.md
02
Hardcoded Windows username path reveals user identity for targeting recon · index.js
03
spawns powershell.exe with ExecutionPolicy Bypass to run non-existent scripts · privilege escalation · index.js

Why this conclusion was reached

2 of 4 dimensions triggered
Block
Declared vs actual capabilities

Found 2 capabilities or over-privileged behaviors beyond what is declared.

Review
Hidden execution and outbound connections

Extracted 2 general-risk artifacts; these need to be judged in context.

Block
Attack chain and high-risk findings

The report contains a 6-step attack chain, plus 3 high or critical findings.

Review
Dependencies and supply-chain hygiene

Found 2 dependency or supply-chain indicators that need attention.

Attack chain

01
Skill distributed as legitimate OpenClaw memory plugin via SKILL.md marketing

Initial entry · SKILL.md:1

02
Hardcoded Windows username path reveals user identity for targeting

recon · index.js:62

03
spawns powershell.exe with ExecutionPolicy Bypass to run non-existent scripts

Privilege escalation · index.js:67

04
Extracts messages containing credential-adjacent keywords (password, token, key, secret, api, 密钥, 密码) from chat transcripts

Privilege escalation · src/archiver.ts:118

05
Stores credential-adjacent transcript snippets in plaintext memory/YYYY-MM-DD.md files

Final impact · src/archiver.ts:108

06
Refinement feature (callAI stub) could be implemented to POST extracted credentials to external AI endpoint

exfiltration_potential · src/refiner.ts:25

How the risk score was raised

Hardcoded Windows absolute paths +25

Three files contain hardcoded paths with Windows usernames (C:\Users\42517\): index.js:62, test.js:2, and standalone-archive.js (hardcoded transcriptDir). These expose user identity and are not declared in SKILL.md.

Undeclared PowerShell execution +20

index.js spawns powershell.exe with -ExecutionPolicy Bypass to run archive.ps1 and refine.ps1, scripts that do not exist in the codebase; not declared in SKILL.md.

Credential-adjacent keyword harvesting +15

defaults.ts and keywords.json include sensitive keywords (password, token, key, secret, api, 密钥, 密码, 账号) that are used to extract message highlights, potentially capturing credentials from chat transcripts.

Doc-to-code mismatch +15

SKILL.md states 'Pure TypeScript' with no mention of PowerShell scripts, hardcoded paths, or Windows-specific behavior, while index.js spawns external scripts with a bypassed execution policy.

Dynamic import of fast-glob not used +5

src/archiver.ts imports fast-glob, never uses it, and falls back to a hardcoded path; this pattern is sometimes used to obscure file system enumeration.

Most critical evidence

High risk · Privilege escalation

Hardcoded Windows username path leaks user identity

index.js line 62 contains a hardcoded absolute path 'C:\Users\42517\.openclaw\agents\main\sessions' and test.js contains 'C:\Users\42517\.openclaw\workspace'. These expose the Windows username '42517' and indicate the developer built and tested the tool on a real user's machine, with that user's directory structure baked into the code. This pattern is consistent with credential-harvesting malware that probes known user paths.

index.js:62
Remove all hardcoded absolute paths. Use workspace-relative or env-var-based paths only.
High risk · Documentation deception

Undeclared PowerShell execution with bypassed execution policy

index.js spawns powershell.exe with arguments '-NoProfile', '-ExecutionPolicy', 'Bypass', and '-File' to run archive.ps1 and refine.ps1. Neither script exists in the repository. The -ExecutionPolicy Bypass flag explicitly bypasses PowerShell security policies. SKILL.md makes no mention of PowerShell scripts, external script execution, or Windows-specific behavior, instead describing the tool as 'Pure TypeScript'. This is a significant doc-to-code mismatch.

index.js:67
Either declare and include the PowerShell scripts, or remove the spawn entirely and perform all logic in Node.js/TypeScript.
High risk · Credential theft

Sensitive credential keywords used to extract transcript highlights

src/defaults.ts contains a DEFAULT_KEYWORDS array including 'password', 'token', 'key', 'secret', 'api', '密钥', '密码', '账号'. These keywords are used by the archiver to extract 'highlights' from chat transcripts (src/archiver.ts:extractHighlights). The archiver reads all transcript files, filters for messages matching these keywords, and writes snippets to memory/YYYY-MM-DD.md. This means credentials, API keys, and secrets discussed in chat are extracted and stored in plaintext files without explicit user consent in SKILL.md.

src/defaults.ts:21
Either remove sensitive credential keywords from defaults, or explicitly document and request consent for credential extraction in SKILL.md with a clear opt-in mechanism.
Medium risk · Documentation deception

SKILL.md claims zero config needed but hardcoded paths require config

SKILL.md advertises 'Zero Configuration: Works out of the box with smart defaults' and 'Pure TypeScript, runs on Windows/Mac/Linux'. However, the actual code contains hardcoded Windows paths that will fail on any non-matching Windows machine or any non-Windows OS. The cross-platform claim is misleading.

SKILL.md:1
Update SKILL.md to accurately reflect platform requirements and remove cross-platform claims unless the hardcoded paths are replaced with dynamic detection.
Medium risk · Sensitive access

Dynamic fast-glob import with no actual usage

src/archiver.ts imports fast-glob but never calls it. Instead, it falls back to a hardcoded path join(workspace, 'agents', 'main', 'sessions'). The unused dynamic import pattern is sometimes used to evade static analysis tools. The fallback path still ignores the workspace parameter for agents other than 'main'.

src/archiver.ts:94
Either implement proper glob usage or remove the import. Use workspace parameter consistently across all transcript paths.
Low risk · Supply chain

No version pinning for dependencies

package.json specifies dependencies without exact version pins: openclaw: '^0.5.0', @types/node: '^20', typescript: '^5'. Caret ranges allow dependency updates that could introduce malicious code without the skill author's knowledge.

package.json:24
Pin all dependencies to exact versions (e.g., [email protected] without caret).
Low risk · Documentation deception

External URL reference in keywords.json

keywords.json line 2 references 'https://json.schemastore.org/default' as its JSON schema. While this is a legitimate schema store, fetching remote schemas during skill load could be leveraged for data exfiltration or tracking.

keywords.json:2
Remove external schema reference or document the network access in SKILL.md.

Declared vs actual capabilities

File system · Block
Declared: READ
Inferred: WRITE
src/archiver.ts:108 — fs.writeFile for daily logs + marker files; standalone-archive.js — write operations; src/refiner.ts — fs.appendFile to MEMORY.md
Network access · Pass
Declared: NONE
Inferred: NONE
refine.js / src/refiner.ts — callAI() stub exists with TODO comment, not yet implemented; keywords.json:2 references external schema URL
Command execution · Block
Declared: NONE
Inferred: WRITE
index.js:67-71 — spawn('powershell.exe', psArgs) with -ExecutionPolicy Bypass
Environment variables · Pass
Declared: NONE
Inferred: READ
Multiple files read process.env.OPENCLAW_WORKSPACE

Suspicious artifacts and outbound connections

Medium risk · External URL
https://clawhub.ai/skills/publish

PUBLISH.md:18

Medium risk · External URL
https://json.schemastore.org/default

keywords.json:2

Dependencies and supply chain

Package      | Version      | Source         | Vulnerability | Notes
openclaw     | ^0.5.0       | npm            |               | Caret version allows major updates
fast-glob    | not declared | dynamic import |               | Imported but not used in src/archiver.ts
@types/node  | ^20          | npm            |               | Dev dependency, not pinned
typescript   | ^5           | npm            |               | Dev dependency, not pinned

File composition

24 files · 1836 lines
Markdown: 6 files · 798 lines
TypeScript: 8 files · 518 lines
JavaScript: 5 files · 410 lines
JSON: 3 files · 88 lines
Ignore: 1 file · 17 lines
Text: 1 file · 5 lines
Files needing attention · 4
src/archiver.ts TypeScript · 190 lines
Dynamic fast-glob import with no actual usage
SKILL.md Markdown · 178 lines
SKILL.md claims zero config needed but hardcoded paths require config
index.js JavaScript · 81 lines
Hardcoded Windows username path leaks user identity · Undeclared PowerShell execution with bypassed execution policy
src/defaults.ts TypeScript · 62 lines
Sensitive credential keywords used to extract transcript highlights
Other files · screenshot-demo.js · standalone-archive.js · PUBLIC-README.md · README.md · CONFIGURATION.md · refiner.ts +2

Security highlights

No base64-encoded payloads or obfuscated execution observed
No reverse shell, C2 communication, or direct IP network requests found
No ~/.ssh, ~/.aws, or .env file access detected
No curl|bash or wget|sh remote script execution
AI refinement (callAI) is a stub — not actually implemented
Dependencies are from a legitimate registry with no known malicious packages
No hidden instructions in HTML comments or steganography detected